HIPAA Requirements for Non-Healthcare Businesses in 2026
HIPAA applies to more businesses than most owners realize, OCR is actively enforcing it, and in April 2026 one of its largest single-day enforcement actions included a fine against an employer-sponsored health plan rather than a hospital or clinic.
If your company offers health benefits to your team, handles data for any healthcare client, or operates anywhere near what sounds like "healthcare territory," this matters to you.
Why April's HIPAA Settlements Are Worth Paying Attention To
On April 23, 2026, the HHS Office for Civil Rights announced four separate ransomware investigation settlements in a single day. Total: $1,165,000.
The four entities:
- Assured Imaging (an imaging services company): $375,000
- Axia Women's Health clinic network: $320,000
- Star Group Health Benefits Plan (an employer group health plan): $245,000
- Consociate Health (a benefits administrator): $225,000
All four had experienced ransomware attacks. All four had different security environments. And in all four cases, OCR cited the same core problem: failure to conduct an accurate and thorough risk analysis.
Not failure to stop the ransomware. Failure to document that they had ever formally assessed their security risks before the attack happened.
The detail that changes who should be reading this: Star Group Health Benefits Plan is not a healthcare provider. It is an employer-sponsored group health plan. The kind that a 50-person company might offer to its employees. OCR fined it $245,000 and put it under a two-year corrective action plan.
Does HIPAA Actually Apply to Your Business?
The default assumption for most business owners outside of healthcare is no. That assumption is wrong for more companies in the 25-to-200-person range than you might think.
HIPAA reaches two categories of organizations:
Covered entities include health plans. If your company sponsors a self-funded or partially self-funded group health plan, that plan is a HIPAA covered entity, and as its sponsor your company takes on the plan's obligations for any protected health information it receives from the plan: risk analysis, security safeguards, breach notification. (A fully insured plan that sees only enrollment data and summary health information has much narrower obligations, which is why self-funded plans are the usual trigger.) The Star Group settlement is the clearest enforcement signal OCR has sent to employers in years.
Business associates are vendors and service providers that handle protected health information on behalf of a covered entity. The list is longer than most people expect. IT providers that support any healthcare client. HR technology platforms that process employee health data. Cloud storage vendors used by medical practices. Billing and transcription services. If your business touches protected health information as a vendor, OCR considers you a business associate with direct HIPAA Security Rule obligations.
A quick way to check: if you have a healthcare client and you have not signed a Business Associate Agreement with them, that is a compliance gap worth addressing now.
The Pattern Across All of OCR's 2026 Settlements
Looking back through the enforcement actions from early 2026, the pattern is consistent.
February 2026: Top of the World Ranch Treatment Center paid $103,000 after a phishing attack compromised patient records. Cited violation: failure to conduct a risk analysis.
March 2026: MMG Fusion, a software company, paid $10,000 (reduced due to financial condition). The breach exposed records of approximately 15 million individuals. Cited violation: failure to conduct a risk analysis.
April 2026: Four more. Same citation across all four.
As of January 2026, OCR had settled more than 50 HIPAA enforcement actions under its Risk Analysis Initiative. The consistent thread across those cases is not a specific security tool that failed or a specific vulnerability that was exploited. It is the absence of documented preparation before the event.
Organizations with no formal risk analysis have almost no defense in an OCR investigation. The agency is asking for evidence you assessed your environment and took steps to address what you found. Without documentation, there is nothing to show.
What a HIPAA Risk Analysis Actually Requires
A HIPAA risk analysis is not a one-page checklist and it is not a vulnerability scan alone. It is a documented assessment that identifies where protected health information exists in your systems, what specific threats and vulnerabilities apply to each location, the likelihood and potential impact of those threats, and what controls you have in place to address them.
OCR's January 2026 Cybersecurity Newsletter added another layer: the risk analysis has to be paired with active risk management. Identifying vulnerabilities is not enough. You need to show that you reduced them to an acceptable level and have evidence of follow-through.
For companies that have never completed one, or whose last formal assessment is more than 12 months old, the April settlements show the concrete cost of the gap.
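What the two requirements above look like when written down is easier to see in a small, structured register than in prose. The following is an added example, not OCR's methodology or anything from the page: it scores each PHI location by likelihood and impact (a NIST SP 800-30 style scale, assumed here), credits a control only when it is both implemented and backed by evidence, and flags residual risks above an acceptable level as well as an analysis older than a year. The acceptable-risk threshold, the 12-month window, and every inventory entry are constructed assumptions.

```python
"""Added example: a minimal documented risk analysis with risk-management follow-through.
Scoring scale, thresholds, and all inventory data are assumptions, not OCR guidance."""
from dataclasses import dataclass, field
from datetime import date

ACCEPTABLE_RESIDUAL = 6       # assumption: on a 1-25 scale, anything above this needs treatment
MAX_ANALYSIS_AGE_DAYS = 365   # assumption: re-assess at least annually


@dataclass
class Control:
    name: str
    implemented: bool
    evidence: str = ""        # change ticket, review record, screenshot path, etc.
    reduction: int = 0        # likelihood points this control removes (assumed rating)


@dataclass
class Risk:
    asset: str                # where the PHI lives
    threat: str
    likelihood: int           # 1 (rare) to 5 (expected)
    impact: int               # 1 (negligible) to 5 (severe)
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        # Only implemented controls with recorded evidence count: an undocumented
        # control is exactly what an investigator cannot see.
        reduction = sum(c.reduction for c in self.controls if c.implemented and c.evidence)
        return max(1, self.likelihood - reduction) * self.impact


# Constructed sample register for a small employer that self-funds its health plan.
REGISTER = [
    Risk("Benefits admin file share", "Ransomware via phished credentials", 4, 5,
         [Control("MFA on VPN and email", True, "CHG-1042", 2),
          Control("Offline backups tested quarterly", True, "", 1)]),   # done, no evidence
    Risk("Payroll SaaS export (CSV)", "Unencrypted PHI on laptops", 3, 4,
         [Control("Full-disk encryption", False, "", 2)]),             # planned, not done
    Risk("HR ticketing system", "Lingering access by former staff", 2, 3,
         [Control("Quarterly access review", True, "HR-REV-2026Q1", 1)]),
]


def open_findings(register, assessed_on: date, as_of: date) -> list:
    """Return the gaps an investigator would ask about: a stale analysis and any
    risk still above the acceptable level, with the controls lacking follow-through."""
    findings = []
    if (as_of - assessed_on).days > MAX_ANALYSIS_AGE_DAYS:
        findings.append(f"risk analysis dated {assessed_on} is older than "
                        f"{MAX_ANALYSIS_AGE_DAYS} days")
    for r in register:
        if r.residual() > ACCEPTABLE_RESIDUAL:
            pending = [c.name for c in r.controls if not (c.implemented and c.evidence)]
            findings.append(f"{r.asset}: residual {r.residual()} > {ACCEPTABLE_RESIDUAL}; "
                            f"controls without evidence: {pending}")
    return findings


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:30} inherent={r.inherent():2} residual={r.residual():2}")
    for f in open_findings(REGISTER, assessed_on=date(2025, 1, 10), as_of=date(2026, 4, 23)):
        print("FINDING:", f)
```

The point of the `evidence` field is that a control with no record behind it contributes nothing to residual risk; that mirrors the enforcement pattern above, where the issue was not the absence of security tools but the absence of anything to show for them.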
For additional context on how threat patterns are evolving and what the data shows about how organizations get breached, the 2026 Verizon Data Breach Investigations Report is worth reviewing alongside the OCR enforcement trend.
What Is Coming: The Pending HIPAA Security Rule Overhaul
There is a significant rule change in the pipeline that is worth knowing about before it finalizes.
In January 2025, HHS published a proposed overhaul of the HIPAA Security Rule. The comment period closed in March 2025 with nearly 5,000 submissions. Finalization is expected around May 2026, with a 240-day compliance window after publication.
The biggest structural change: the elimination of the "required" vs. "addressable" distinction entirely. Under the current rule, encryption is an "addressable" specification, meaning an organization can document a reason for not implementing it, and multi-factor authentication is not named at all. Under the proposed rule, both become mandatory, with only narrow, specifically enumerated exceptions.
Other proposed requirements include vulnerability scanning at least every six months, annual penetration testing, patching critical vulnerabilities within 15 days and high-severity ones within 30, and enhanced business associate verification requirements. HHS has estimated first-year compliance costs at roughly $9 billion across the industry.
None of this is final. The current administration may modify some provisions. But the direction is clear. Organizations currently treating MFA or encryption as optional based on a cost decision should understand that option is closing.
The New Jersey Angle: A July 2026 Deadline
For businesses based in New Jersey or with significant New Jersey customer data, there is an additional deadline arriving soon.
The New Jersey Data Privacy Act (NJDPA) went into effect January 15, 2025. Since then, the AG's office has been required to give businesses a 30-day cure period before pursuing penalties. That requirement expires around July 15, 2026.
After that date, the New Jersey AG can pursue penalties with no advance notice. Penalties run up to $10,000 for a first violation and up to $20,000 for each subsequent violation.
The law applies to businesses that control or process personal data of 100,000 or more New Jersey consumers annually, or of 25,000 or more consumers while deriving revenue (or a discount on goods or services) from selling personal data. A growing business with an active customer base in New Jersey may qualify without realizing it. Implementing regulations are still being finalized following the recent gubernatorial transition, but the enforcement mechanism activates in July regardless.
Two Questions to Start With
The starting point does not need to be complicated.
First: does HIPAA apply to your organization? If you offer a self-funded group health plan or have any vendor relationship with a healthcare client, the answer is likely yes and worth confirming formally. The Star Group settlement makes clear that OCR is no longer limiting enforcement to traditional healthcare providers.
Second: when was your last formal, documented risk analysis? If the answer is never or more than 12 months ago, you are in the same position as the four companies that settled in April.
The businesses that come through OCR investigations without significant penalties are not the ones with the newest security tools. They are the ones with documented programs, current risk assessments, and evidence that they acted on the findings. That is the compliance baseline. Everything else is variable.
For more on building the kind of documented IT and compliance program that holds up under scrutiny, our managed IT services practice covers the practical infrastructure side of staying current.
Frequently Asked Questions
Does HIPAA apply to businesses outside of healthcare?
Yes. Businesses outside of healthcare can be subject to HIPAA in two ways. If a company sponsors a self-funded or partially self-funded group health plan for employees, that plan is a covered entity with full HIPAA obligations, and the sponsor takes on those obligations for any protected health information it receives from the plan. If a company handles protected health information on behalf of a healthcare client, it is a business associate. Both are subject to the HIPAA Security Rule and its risk analysis requirement.
What is a HIPAA risk analysis?
A HIPAA risk analysis is a formal, documented assessment covering where protected health information exists in an organization's systems, what threats and vulnerabilities apply to each location, the likelihood and impact of those threats, and what controls address them. OCR has cited failure to conduct an accurate risk analysis as the primary violation in more than 50 enforcement actions. Organizations must also demonstrate active risk management: identifying vulnerabilities is not enough without evidence of follow-through.
What did the April 2026 OCR settlements involve?
On April 23, 2026, OCR settled four ransomware investigations in a single day for a combined total of $1,165,000. The settled entities included an imaging company, a women's health clinic network, an employer-sponsored health plan, and a benefits administrator. All four settlements cited failure to conduct a risk analysis as the primary violation. The inclusion of an employer health plan was unusual and directly relevant for growing businesses that offer employee benefits.
What changes are coming to the HIPAA Security Rule?
HHS proposed major updates to the HIPAA Security Rule in January 2025 that would eliminate the distinction between required and addressable safeguards. If finalized as proposed, MFA and encryption would become mandatory for all covered entities and business associates. Finalization is expected around May 2026, followed by a 240-day compliance window. Organizations currently treating MFA or encryption as optional based on documented justifications should begin planning.
What is the New Jersey Data Privacy Act cure period deadline?
The New Jersey Data Privacy Act became effective January 15, 2025. Until approximately July 15, 2026, the state AG must give businesses a 30-day cure period before pursuing penalties. After that date, the AG can pursue penalties without notice. Penalties run up to $10,000 for a first violation and up to $20,000 for each subsequent violation.